10 March 2014

Target Hacker Still Online

Daniel Brandt sends:

RE: http://www.cloudflare-watch.org/target2.html

2014-00074 Target CC Hack Exploiters Still Online ( February 9, 2014 )

Some progress has been made since you posted the above. By complaining to registries and registrars, 29 domains have been suspended. All are ostensibly from "Rescator" and were hiding behind CloudFlare. When a registry or registrar puts a domain on "hold," even CloudFlare cannot do anything. One can no longer reach CloudFlare, or anything else, from that domain because the DNS is disabled, and the domain does not resolve. I expect another five will be suspended soon.

Unfortunately, these suspended domains are minor domains. Most are probably "rippers" or decoys, and are not essential for the major perps behind the marketing of stolen Target credit-card data.

Nevertheless, suspending them sends a message to criminals that it's not worth using domains that are ICANN-affiliated. When the home page on such domains shows activity that is indisputably illegal, abuse complaints to ICANN-affiliated registries or registrars become possible. This includes dot-com, dot-net, dot-org, dot-biz, and dot-info domains.

That leaves many dozens of country-coded domains for which complaints are either impossible or useless. At the moment it looks like Rescator, who is suspected of living near Odessa, Ukraine, is using servers based in Russia. His latest moves suggest that he's beginning to use servers in Bulgaria, and is not even using CloudFlare to hide them.

I doubt that Rescator is getting nervous; I think he knows what he is doing, and has nothing to fear from authorities in the U.S.